Google Wallet’s week hasn’t been that great. A second major security flaw has been revealed today which could allow a thief to have access to your funds via Google’s prepaid card. This comes on top of revelations that it was possible to crack the PIN on rooted Android devices.
The first, revealed yesterday, is a simple hack: brute-forcing the PIN after gaining access to the encrypted file that stores it. The main problem was that the file was stored on the device, not on the NFC chip, so it can be accessed by those who have managed to root their phone. So, if you didn’t root your phone, you were fine.
Google, however, denies that the study, which was conducted by Zvelo, reveals a problem.
“The zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN,” it said in a statement.
Now a second vulnerability has been found, by TheSmartphoneChamp, and this one does not require a PIN. The thief can simply clear the app's data via Application Settings, reopen the app and set a new PIN. Once that is done, the thief can add a Google Prepaid card and then has potential access to your funds because the cards are stored.
It should be pointed out that it has to be a prepaid card. This vulnerability has been independently verified by The Verge. Google has also confirmed that this security hole does exist, and is working on a fix.
So basically, if you’re using the service – put a lock screen on it. Or, uninstall it.